• October 03, 2024, 12:42:46 PM
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  

News:

This Forum Beta is ONLY for registered owners of D-Link products in the USA for which we have created boards at this time.

Author Topic: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem  (Read 13296 times)

network1027

  • Level 2 Member
  • **
  • Posts: 27

Model/Firmware : DIR-818LW_REVB_FIRMWARE_PATCH_2.05.B01.ZIP

Network topology : PC1-----DIR626L------DIR818LW-----Internet

Hi  :D

The DIR818LW doesn't allow PC1, which is behind the DIR626L, to access the Internet using IPv6 ( See Network topology above ).
It seems to be caused by the DIR818LW IPv6 firewall : If I disable IPv6 Simple Security, PC1 can access Internet using IPv6.

Disabling IPv6 Simple Security on the DIR 818LW is the only functioning workaround I did find yet :
disabling anti-spoof checking or ingress filtering did not solve the problem

I have had that same issue with my DIR626L, which was caused by the Ingress Filtering that was only
implementing Interface subnet check instead of Reverse Path Forwarding check. I could solve it on the DIR626L by setting :
. IPv6 simple security : ON
. Firewall : ON and allow out rules
. Rule 1 : Allow everything out from Lan to Wan

Sadly, this isn't functioning with the DIR818LW.

I need IPv6 Simple Security.
If this can't function, I'll have to remove my DIR818LW from its core-router role. Sad ... :'(

Any help or clue are welcomed, I really need to use several subnets  :D

PS: ( Beside, they seem to have give up the :: wildcard, so the IPv6 rules seem to require whole ranges, like 1::1-FFFF::FFFF as catch all rules. Is there a new wildcard for IPv6? anybody knows it ? )
« Last Edit: January 10, 2016, 01:19:52 AM by network1027 »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #1 on: January 10, 2016, 11:11:51 AM »

I think the only thing you can do is the set up the 818LW as a wired 2nd AP and let the 826L be the main host router:
Turning a router into an AP.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Hard Harry

  • Guest
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #2 on: January 10, 2016, 11:51:32 AM »

What type of IPv6 are you using?
Logged

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #3 on: January 10, 2016, 12:40:51 PM »

Hi,

please have a look at this thread, where we lengthy discussed what 'Simple Security' might mean, especially if it is combined with any non switched off ipv6 firewall settings.  Can you tell me the answer? Wouldn't it be enough if you configured

  • IPv6 simple security : OFF
  • Firewall : ON and allow out rules
  • Rule 1 : Allow everything out from Lan to Wan

on your DIR818LW?

For your second question (how to specify IPv6 ranges): Yes there are several tastes how they have to be configured in the D-Link boxes. For your device it looks like you have to configure the range from :: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff, in order to express 'any ipv6 address'.

For a survey of problems found with D-Link's ipv6 firewalls also look here.

PT

EDIT:

The reason for your problem is probably the same as described somewhere in the 1. thread I mentioned above, and I copy it here (just exchange '626l' with your device DIR818LW) :

Quote
Ingress Filtering in this case is an option in the firewall, that defeats spoofed source address packets to leave our  network and enter the ISP network. ( RFC 2827 / RFC 3704 )
...
the problem is the implementation : as the 626L is a consummer product, it just compares for each outgoing packet the source IP to the Lan interface subnet. In case of mismatch, the packet is dropped.
If you link up two routers, packets from the innermost subnet are dropped by the outter router.

The only solution : to create an 'allow out ' rule on the outtermost Router to override the ingress filter.
Beside, IPv6 Simple Security automatically turns on Ingress Filter, which is logical.

EDIT2:
Hi network1027,
how stupid I am, it was just this moment when I realized that it is you who initiated the thread that I referred to at the beginning - hence I copied your own answer. But then: why did you ask again, if you exactly know the reason of your problem?

PT
« Last Edit: January 10, 2016, 01:20:30 PM by PacketTracer »
Logged

network1027

  • Level 2 Member
  • **
  • Posts: 27
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #4 on: January 12, 2016, 05:10:45 AM »

What type of IPv6 are you using?

I'm using native IPv6. I tried both link-local and static Global Unicast Address IPv6 for the DIR818LW Wan setting during the tests.
« Last Edit: January 12, 2016, 05:44:54 AM by network1027 »
Logged

network1027

  • Level 2 Member
  • **
  • Posts: 27
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #5 on: January 12, 2016, 05:17:04 AM »


EDIT2:
Hi network1027,
how stupid I am, it was just this moment when I realized that it is you who initiated the thread that I referred to at the beginning - hence I copied your own answer. But then: why did you ask again, if you exactly know the reason of your problem?

PT

Hi PacketTracer  :D

I instantly suspected an Ingress Filtering problem, but :
. my DIR626L trusty old trick isn't functioning with the DIR818LW
. I'm not sur this is an Ingress Filtering problem here : unlike with the DIR626L, I can un-tick the Ingress Filtering checkbox while keeping IPv6 Simple Security ticked, but it doesn't solve the problem

I post my new tests results just next  :)
Logged

network1027

  • Level 2 Member
  • **
  • Posts: 27
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #6 on: January 12, 2016, 05:34:56 AM »

I made some extensive tests, using a native IPv6 connection ( Global Unicast Address ), testing with both :
. Wan static GUA address
. Wan link-local connection to the Internet Gateway

I always get the same results. Here is the network topology :

                               PC1-----|                   PC3-----|
PC2----------DIR626L-----------|DIR818LW------------|Internet

PC1 is on LAN1, PC2 is on LAN2, I test the Internet IPv6 access
PC3 is used to try to pass through the DIR818LW Wan firewall ( Firewall Wan-Lan leak test )

Here are the results :

[ Test : Lan 1 IPv6 Internet / Lan 2 IPv6 Internet / Firewall Wan->Lan leak test ]

only IPv6 Simple Security : OK / OK / not tested         
IPv6 Simple Security : OK / NO / no security
IPv6 Simple Security+Allow OUT : NO / NO / NA
Allow Out :   NO / NO / NA
IPv6 Simple Security+Deny IN : OK   / NO / no security
Deny IN : OK / OK / no security

Here are the conclusions in understandable english language :

. with IPv6 Simple Security, PC2 can't access the Internet
. The IPv6 Firewall Wan-->Lan protection is never functionning
. The IPv6 firewall Allow mode is never functionning
. The only way to allow PC2 internet access is by disabling IPv6SS, and using firewall deny mode, deny everything in


some explainations abou the tests performed :

Only IPv6 Simple Security = no Ingress Filtering, no spoof check
IPv6 Simple Security = IPv6 Simple Security + Ingress Filtering + spoof check
IPv6 Simple Security+Allow OUT = IPv6 SS+FIrewall ON and allow mode+allow everything out rule
IPv6 Simple Security+Deny IN = IPv6 SS+FIrewall ON and deny mode+deny everything in rule

the catch all rule was made using :
from : 1::1-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
to : 1::1-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
protocol : ANY / 1-65535

What is really worrisome is that the IPv6 firewall is NEVER functionning. each Zenmap penetration test managed to have all its 2003 packets through the Wan firewall ...

Beside, the DHCPv6 doesn't seem to function ( as well as the DHCPv6 part of the SLAAC+Stateless DHCPv6 mode : no DNS received )

Can anybody confirm these strange results ?   ;D
« Last Edit: January 12, 2016, 05:58:10 AM by network1027 »
Logged

FurryNutz

  • Poweruser
  •   ▲
    ▲ ▲
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Can't chain 2 IPv6 routers : DIR 818LW IPv6 ingress filtering problem
« Reply #7 on: February 02, 2016, 07:33:11 AM »

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. Reference this thread.
Logged
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.